From 4b8e1c2d7fa7d2260b144d32987b52e0df392fd2 Mon Sep 17 00:00:00 2001
From: GrĂ©goire DuchĂȘne
Date: Sun, 30 Jan 2022 14:38:43 +0000
Subject: Lock down systemd unit definition
---
 systemd/go-import-redirect.service | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
(limited to 'systemd')
diff --git a/systemd/go-import-redirect.service b/systemd/go-import-redirect.service
index 38d8023..86f02a3 100644
--- a/systemd/go-import-redirect.service
+++ b/systemd/go-import-redirect.service
@@ -6,7 +6,34 @@ Description=go-import-redirect
 
 [Service]
 ExecStart=go-import-redirect
+
+CapabilityBoundingSet=
 DynamicUser=true
+IPAddressDeny=any
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateNetwork=true
+PrivateTmp=true
+PrivateUsers=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=strict
+RestrictAddressFamilies=none
+RestrictNamespaces=true
+RestrictRealtime=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+UMask=0077
 
 [Install]
 WantedBy=multi-user.target
-- 
cgit v1.2.3-70-g09d2
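Review bot: The combination of `PrivateNetwork=true`, `RestrictAddressFamilies=none` and `IPAddressDeny=any` added to the [Service] section means the process can neither create its own sockets nor reach anything beyond a private loopback, so a service that by its name presumably answers HTTP go-import redirects can only work if its listening socket is handed in by a companion `.socket` unit; no such unit is part of this commit and `ExecStart=go-import-redirect` gives no hint of one. If socket activation is the intent, it deserves a comment in the unit so the next maintainer does not "fix" the unreachable listener by loosening the sandbox, e.g. `# Network access is only via the fd passed by go-import-redirect.socket; the process itself must not open sockets.` placed above `PrivateNetwork=true`. If it is not the intent, `PrivateNetwork=true` and `RestrictAddressFamilies=none` are the two lines that break the listener and should be replaced by `RestrictAddressFamilies=AF_INET AF_INET6` (or `AF_UNIX` for a socket-activated path); `IPAddressDeny=any` should then be paired with an `IPAddressAllow=` for the addresses the service must accept. Either way, confirming the resulting score and the list of effective restrictions with `systemd-analyze security go-import-redirect.service` on the deployed host would make this hardening verifiable rather than assumed.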